
ping.exe/malware removal - requesting help


PDXJim


Merry Christmas Eve Eve!

Looks like this is a popular topic on the forums, but I'll start at the top.

A couple days ago, my wife's laptop was infected with xp security 2012. I removed it (or so it appears) by following this guide that allowed me to finally run mbam:

http://www.bleepingcomputer.com/virus-removal/remove-xp-internet-security-2012

As part of that guide, I first ran TDSSKiller, but it didn't report any problems. However, Mbam found and removed about 18 infected objects. Things appeared fine, but then yesterday I noticed a process called ping.exe was hogging tons of resources. If I kill it in task manager, it keeps coming back. Furthermore, I am seeing thousands of new files in my temporary internet folder (some of which are showing up as infected if I re-run mbam). Worst of all, I have McAfee Antivirus Plus installed (alas, disabled at the time of infection), and while it was doing a scan, I kept getting messages that it was blocking accesses to some unknown IP address that originated from this Ping program. Checking the McAfee security report, the latest count of attempted (and blocked) accesses is 86, and that number continues to slowly go up over time.

So I think it's safe to say that something screwed up is going on in my system, and I would greatly appreciate any help that anybody here might be able to offer. And I understand it's a holiday weekend, so no worries if this isn't looked at for a while.

As per the instructions in the stickied post, I ran DDS and am posting the two logs it generated. dds.txt is cut-n-pasted below, while I have attached attach.txt as an attachment to this post (hope it works).

Thank you!

- Jim

dds.txt:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Tish at 21:58:02 on 2011-12-23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1570 [GMT -8:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Intel\IntelAppStoreBeta\bin\serviceManager.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe

C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.msn.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Vgrabber Toolbar: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - c:\program files\vgrabber\prxtbVgra.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111222025202.dll

BHO: Freecause Toolbar BHO: {a3b061b6-a39a-439a-8098-b3710f6388f6} - c:\program files\oregon state beavers toolbar\Toolbar.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Vgrabber Toolbar: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - c:\program files\vgrabber\prxtbVgra.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Oregon State Beavers Toolbar: {8bc7446d-bede-476f-b34c-ce1664fdb330} - c:\program files\oregon state beavers toolbar\Toolbar.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Vgrabber Toolbar: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - c:\program files\vgrabber\prxtbVgra.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\tish\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe

mRun: [batteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe

mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe

mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe

mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [intel AppUp(SM) center Beta] "c:\program files\intel\intelappstorebeta\bin\serviceManager.lnk"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

LSP: mswsock.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247035790546

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.11.1

TCP: Interfaces\{85C3505C-7370-4E80-88F3-DDDA5A653495} : DhcpNameServer = 192.168.11.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-10 464176]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-10 89792]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-4-1 4300]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-21 94880]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-10 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-10 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-10 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-10 166288]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-10 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-10 150856]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-10 57600]

R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-10 180816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-10 59456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-10 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-10 83856]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-4-1 238464]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-10 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-10 87656]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-22 50704]

S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]

.

=============== Created Last 30 ================

.

2011-12-24 05:13:33 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-24 05:13:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-22 08:39:04 50704 ----a-w- c:\windows\system32\drivers\npf.sys

2011-12-22 08:39:04 281104 ----a-w- c:\windows\system32\wpcap.dll

2011-12-22 08:39:04 100880 ----a-w- c:\windows\system32\Packet.dll

2011-11-25 23:36:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-11-25 23:36:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-11-25 23:36:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-11-25 23:36:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-11-25 23:36:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-11-25 23:36:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-11-25 23:36:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-11-25 23:28:51 -------- d-----w- c:\program files\iPod

2011-11-25 23:13:58 -------- d-----w- c:\program files\Bonjour

.

==================== Find3M ====================

.

2011-12-10 04:22:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-09 21:34:30 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-11-09 21:34:29 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 22:32:30 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-10-15 21:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-10-15 21:16:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-10-15 21:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-10-15 21:16:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-10-15 21:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-10-15 21:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-10-15 21:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 21:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-10-15 21:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-10-15 21:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2009-12-30 23:09:50 2959376 ----a-w- c:\program files\dotnetfx35setup.exe

.

============= FINISH: 21:59:03.06 ===============

attach.txt


Hello PDXJim and welcome to Malwarebytes!

I apologize for the delay.

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • how the PC is running now?
-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.

-------------

Please print out these instructions or copy them to a Notepad file for easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:
http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe

Close all open programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

-------------

In your next reply, please include:
  • FSS.txt
  • TDSSKiller report
  • C:\ComboFix.txt
  • MBRCheck report

How is your computer running now?


Merry Christmas D-FRED-BROWN, and thank you so much for the help.

I've completed running all 4 programs, and will post the log for each in 4 separate replies. Everything went swimmingly for the first 3 steps (TDSSKiller found one infected file that I continued with Curing and rebooted, while ComboFix immediately started with a pop-up box informing me that I had something called (approximately) zeroaccess.rootkit in my tcp/ip stack, but everything seemed smooth sailing from there). However, when I tried running MBRCheck, I got a message that it couldn't identify a physical drive. I tried hitting 'Y' for more options, then selected dumping the drive to a file, but when I didn't understand the next question, I hit -1 to Exit (I believe this is all shown in the log file).

As for how my computer is running, I noticed that after running TDSSKiller and rebooting, I no longer see ping.exe in my Task Manager. This continues to be true after running ComboFix. Furthermore, my McAfee Security Report is holding steady at 97 risky attempts (all blocked), with no additional accesses being logged since undertaking the above steps. So things are looking pretty good from this end.

One note about McAfee: I have McAfee Antivirus Plus (offered free from my employer), and there is no option to completely Exit it from the taskbar. The best I can do is open it and disable active scanning, which I did before running ComboFix, so hopefully that was enough to prevent bad interactions (as I said, ComboFix seemed to run normally and remove several files, as shown in the log file).

With all that out of the way, on to the log files. First up is the FSS log, and I'll put the other log files in their own separate responses.

FSS.txt:

Farbar Service Scanner

Ran by Tish (administrator) on 25-12-2011 at 15:30:32

Microsoft Windows XP Home Edition Service Pack 3 (X86)

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is set to Disabled. The default start type is Auto.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall"=DWORD:0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) mfetdi2k(9) NetBT(5) PSched(7) Tcpip(3)

0x09000000040000000100000002000000030000000900000008000000050000000600000007000000

**** End of log ****


TDSSKiller_log.txt:

15:36:49.0265 0852 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16

15:36:51.0703 0852 ============================================================

15:36:51.0703 0852 Current date / time: 2011/12/25 15:36:51.0703

15:36:51.0703 0852 SystemInfo:

15:36:51.0703 0852

15:36:51.0703 0852 OS Version: 5.1.2600 ServicePack: 3.0

15:36:51.0703 0852 Product type: Workstation

15:36:51.0703 0852 ComputerName: MINI_ME

15:36:51.0703 0852 UserName: Tish

15:36:51.0703 0852 Windows directory: C:\WINDOWS

15:36:51.0703 0852 System windows directory: C:\WINDOWS

15:36:51.0703 0852 Processor architecture: Intel x86

15:36:51.0703 0852 Number of processors: 2

15:36:51.0703 0852 Page size: 0x1000

15:36:51.0703 0852 Boot type: Normal boot

15:36:51.0703 0852 ============================================================

15:36:55.0015 0852 Initialize success

15:37:12.0609 0236 ============================================================

15:37:12.0625 0236 Scan started

15:37:12.0625 0236 Mode: Manual;

15:37:12.0625 0236 ============================================================

15:37:18.0515 0236 Abiosdsk - ok

15:37:18.0671 0236 abp480n5 - ok

15:37:19.0015 0236 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

15:37:19.0093 0236 ACPI - ok

15:37:19.0187 0236 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

15:37:19.0187 0236 ACPIEC - ok

15:37:19.0203 0236 adpu160m - ok

15:37:19.0281 0236 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

15:37:19.0296 0236 aec - ok

15:37:19.0375 0236 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

15:37:19.0390 0236 AFD - ok

15:37:19.0406 0236 Aha154x - ok

15:37:19.0421 0236 aic78u2 - ok

15:37:19.0437 0236 aic78xx - ok

15:37:19.0468 0236 AliIde - ok

15:37:19.0500 0236 amsint - ok

15:37:19.0593 0236 AR5416 (6eacc829e76b1efdface633619a3db31) C:\WINDOWS\system32\DRIVERS\athw.sys

15:37:19.0625 0236 AR5416 - ok

15:37:19.0625 0236 asc - ok

15:37:19.0656 0236 asc3350p - ok

15:37:19.0937 0236 asc3550 - ok

15:37:20.0000 0236 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

15:37:20.0015 0236 AsyncMac - ok

15:37:20.0171 0236 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

15:37:20.0171 0236 atapi - ok

15:37:20.0281 0236 Atdisk - ok

15:37:20.0328 0236 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

15:37:20.0328 0236 Atmarpc - ok

15:37:20.0421 0236 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

15:37:20.0421 0236 audstub - ok

15:37:20.0468 0236 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

15:37:20.0468 0236 Beep - ok

15:37:20.0578 0236 BTKRNL (48aad36baefb7820bfeb986763226905) C:\WINDOWS\system32\DRIVERS\btkrnl.sys

15:37:20.0593 0236 BTKRNL - ok

15:37:20.0671 0236 BTWUSB (053dc5be74621b63bb48c2b86bafc7b0) C:\WINDOWS\system32\Drivers\btwusb.sys

15:37:20.0671 0236 BTWUSB - ok

15:37:20.0734 0236 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

15:37:20.0750 0236 cbidf2k - ok

15:37:20.0765 0236 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

15:37:20.0765 0236 CCDECODE - ok

15:37:20.0796 0236 cd20xrnt - ok

15:37:20.0843 0236 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

15:37:20.0843 0236 Cdaudio - ok

15:37:20.0875 0236 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

15:37:20.0890 0236 Cdfs - ok

15:37:20.0921 0236 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

15:37:20.0921 0236 Cdrom - ok

15:37:21.0046 0236 cfwids (1dcb5209601a70e36c70fe8d197d62cb) C:\WINDOWS\system32\drivers\cfwids.sys

15:37:21.0046 0236 cfwids - ok

15:37:21.0062 0236 Changer - ok

15:37:21.0156 0236 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

15:37:21.0156 0236 CmBatt - ok

15:37:21.0171 0236 CmdIde - ok

15:37:21.0218 0236 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

15:37:21.0218 0236 Compbatt - ok

15:37:21.0250 0236 Cpqarray - ok

15:37:21.0281 0236 dac2w2k - ok

15:37:21.0296 0236 dac960nt - ok

15:37:21.0328 0236 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

15:37:21.0328 0236 Disk - ok

15:37:21.0390 0236 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

15:37:21.0406 0236 dmboot - ok

15:37:21.0468 0236 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

15:37:21.0468 0236 dmio - ok

15:37:21.0546 0236 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

15:37:21.0546 0236 dmload - ok

15:37:21.0640 0236 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

15:37:21.0640 0236 DMusic - ok

15:37:21.0718 0236 DNSeFilter (128ae3aedde1e3ae772c88320628fe7c) C:\WINDOWS\system32\drivers\SamsungEDS.sys

15:37:21.0718 0236 DNSeFilter - ok

15:37:21.0765 0236 DOSMEMIO (8a4cb9438571814b128b6dc30d698064) C:\WINDOWS\system32\MEMIO.SYS

15:37:21.0812 0236 DOSMEMIO - ok

15:37:21.0828 0236 dpti2o - ok

15:37:21.0859 0236 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

15:37:21.0875 0236 drmkaud - ok

15:37:21.0921 0236 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

15:37:21.0937 0236 Fastfat - ok

15:37:21.0953 0236 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

15:37:21.0968 0236 Fdc - ok

15:37:22.0046 0236 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

15:37:22.0046 0236 Fips - ok

15:37:22.0078 0236 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

15:37:22.0078 0236 Flpydisk - ok

15:37:22.0125 0236 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

15:37:22.0140 0236 FltMgr - ok

15:37:22.0156 0236 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

15:37:22.0156 0236 Fs_Rec - ok

15:37:22.0203 0236 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

15:37:22.0218 0236 Ftdisk - ok

15:37:22.0265 0236 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

15:37:22.0265 0236 GEARAspiWDM - ok

15:37:22.0328 0236 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

15:37:22.0328 0236 Gpc - ok

15:37:22.0390 0236 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

15:37:22.0406 0236 HDAudBus - ok

15:37:22.0484 0236 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

15:37:22.0484 0236 HidUsb - ok

15:37:22.0500 0236 hpn - ok

15:37:22.0546 0236 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

15:37:22.0562 0236 HTTP - ok

15:37:22.0578 0236 i2omgmt - ok

15:37:22.0593 0236 i2omp - ok

15:37:22.0656 0236 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

15:37:22.0671 0236 i8042prt - ok

15:37:22.0921 0236 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

15:37:23.0046 0236 ialm - ok

15:37:23.0218 0236 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

15:37:23.0218 0236 Imapi - ok

15:37:23.0265 0236 ini910u - ok

15:37:23.0500 0236 IntcAzAudAddService (32915772ccd5bc2bf9762195c002a949) C:\WINDOWS\system32\drivers\RtkHDAud.sys

15:37:23.0562 0236 IntcAzAudAddService - ok

15:37:23.0656 0236 IntelIde - ok

15:37:23.0734 0236 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

15:37:23.0734 0236 intelppm - ok

15:37:23.0765 0236 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

15:37:23.0781 0236 Ip6Fw - ok

15:37:23.0812 0236 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

15:37:23.0828 0236 IpFilterDriver - ok

15:37:23.0875 0236 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

15:37:23.0875 0236 IpInIp - ok

15:37:23.0890 0236 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

15:37:23.0890 0236 IpNat - ok

15:37:23.0968 0236 IPSec (1da6c0c952319f33a54c16c024fe905a) C:\WINDOWS\system32\DRIVERS\ipsec.sys

15:37:23.0968 0236 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 1da6c0c952319f33a54c16c024fe905a, Fake md5: 23c74d75e36e7158768dd63d92789a91

15:37:23.0968 0236 IPSec ( Rootkit.Win32.ZAccess.aml ) - infected

15:37:23.0968 0236 IPSec - detected Rootkit.Win32.ZAccess.aml (0)

15:37:24.0015 0236 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

15:37:24.0015 0236 IRENUM - ok

15:37:24.0093 0236 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

15:37:24.0140 0236 isapnp - ok

15:37:24.0187 0236 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

15:37:24.0187 0236 Kbdclass - ok

15:37:24.0281 0236 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

15:37:24.0281 0236 kbdhid - ok

15:37:24.0375 0236 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

15:37:24.0390 0236 kmixer - ok

15:37:24.0453 0236 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

15:37:24.0453 0236 KSecDD - ok

15:37:24.0484 0236 lbrtfdc - ok

15:37:24.0546 0236 MBAMSwissArmy - ok

15:37:24.0687 0236 mfeapfk (36b47b1e9c537f8f2b4481084b8f7d22) C:\WINDOWS\system32\drivers\mfeapfk.sys

15:37:24.0687 0236 mfeapfk - ok

15:37:24.0718 0236 mfeavfk (cde41293db871a75cd99eb0ce781356b) C:\WINDOWS\system32\drivers\mfeavfk.sys

15:37:24.0718 0236 mfeavfk - ok

15:37:24.0734 0236 mfeavfk01 - ok

15:37:24.0781 0236 mfebopk (e22385f64bdf0ad81157479496e33c4a) C:\WINDOWS\system32\drivers\mfebopk.sys

15:37:24.0781 0236 mfebopk - ok

15:37:24.0843 0236 mfefirek (215666a8a85023ef019b510cbb67f678) C:\WINDOWS\system32\drivers\mfefirek.sys

15:37:24.0859 0236 mfefirek - ok

15:37:24.0890 0236 mfehidk (56d330981866a72f061dd16cc5004513) C:\WINDOWS\system32\drivers\mfehidk.sys

15:37:24.0906 0236 mfehidk - ok

15:37:24.0937 0236 mfendisk (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

15:37:24.0937 0236 mfendisk - ok

15:37:24.0937 0236 mfendiskmp (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

15:37:24.0953 0236 mfendiskmp - ok

15:37:24.0984 0236 mferkdet (89b564d63c53fc0c6782ab07eea63acf) C:\WINDOWS\system32\drivers\mferkdet.sys

15:37:25.0000 0236 mferkdet - ok

15:37:25.0031 0236 mfetdi2k (922e64ca38e38106498fb3435a8e399d) C:\WINDOWS\system32\drivers\mfetdi2k.sys

15:37:25.0046 0236 mfetdi2k - ok

15:37:25.0109 0236 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

15:37:25.0125 0236 mnmdd - ok

15:37:25.0187 0236 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

15:37:25.0187 0236 Modem - ok

15:37:25.0234 0236 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

15:37:25.0234 0236 Mouclass - ok

15:37:25.0312 0236 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

15:37:25.0312 0236 mouhid - ok

15:37:25.0328 0236 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

15:37:25.0343 0236 MountMgr - ok

15:37:25.0359 0236 mraid35x - ok

15:37:25.0421 0236 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

15:37:25.0421 0236 MRxDAV - ok

15:37:25.0562 0236 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

15:37:25.0562 0236 MRxSmb - ok

15:37:25.0625 0236 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

15:37:25.0625 0236 Msfs - ok

15:37:25.0718 0236 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

15:37:25.0718 0236 MSKSSRV - ok

15:37:25.0765 0236 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

15:37:25.0781 0236 MSPCLOCK - ok

15:37:25.0828 0236 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

15:37:25.0828 0236 MSPQM - ok

15:37:25.0890 0236 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

15:37:25.0890 0236 mssmbios - ok

15:37:25.0937 0236 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

15:37:25.0937 0236 MSTEE - ok

15:37:26.0000 0236 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

15:37:26.0000 0236 Mup - ok

15:37:26.0062 0236 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

15:37:26.0062 0236 NABTSFEC - ok

15:37:26.0156 0236 NDIS (8716356e49a665bdc7b114725b60a456) C:\WINDOWS\system32\drivers\NDIS.sys

15:37:26.0171 0236 NDIS - ok

15:37:26.0203 0236 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

15:37:26.0218 0236 NdisIP - ok

15:37:26.0281 0236 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

15:37:26.0296 0236 NdisTapi - ok

15:37:26.0390 0236 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

15:37:26.0390 0236 Ndisuio - ok

15:37:26.0421 0236 NdisWan (5526cfebb619f7f763bd6a2e1b618078) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

15:37:26.0453 0236 NdisWan - ok

15:37:26.0578 0236 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

15:37:26.0578 0236 NDProxy - ok

15:37:26.0609 0236 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

15:37:26.0625 0236 NetBIOS - ok

15:37:26.0703 0236 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

15:37:26.0703 0236 NetBT - ok

15:37:26.0796 0236 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys

15:37:26.0796 0236 NPF - ok

15:37:26.0843 0236 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

15:37:26.0843 0236 Npfs - ok

15:37:26.0890 0236 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

15:37:26.0906 0236 Ntfs - ok

15:37:26.0984 0236 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

15:37:26.0984 0236 Null - ok

15:37:27.0031 0236 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

15:37:27.0031 0236 NwlnkFlt - ok

15:37:27.0093 0236 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

15:37:27.0093 0236 NwlnkFwd - ok

15:37:27.0156 0236 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

15:37:27.0156 0236 Parport - ok

15:37:27.0234 0236 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

15:37:27.0234 0236 PartMgr - ok

15:37:27.0562 0236 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

15:37:27.0578 0236 ParVdm - ok

15:37:27.0625 0236 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

15:37:27.0625 0236 PCI - ok

15:37:27.0640 0236 PCIDump - ok

15:37:27.0671 0236 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

15:37:27.0671 0236 PCIIde - ok

15:37:27.0718 0236 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

15:37:27.0718 0236 Pcmcia - ok

15:37:27.0750 0236 PDCOMP - ok

15:37:27.0765 0236 PDFRAME - ok

15:37:27.0781 0236 PDRELI - ok

15:37:27.0796 0236 PDRFRAME - ok

15:37:27.0812 0236 perc2 - ok

15:37:27.0843 0236 perc2hib - ok

15:37:28.0062 0236 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

15:37:28.0062 0236 PptpMiniport - ok

15:37:28.0093 0236 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

15:37:28.0093 0236 PSched - ok

15:37:28.0187 0236 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

15:37:28.0187 0236 Ptilink - ok

15:37:28.0437 0236 ql1080 - ok

15:37:28.0640 0236 Ql10wnt - ok

15:37:28.0734 0236 ql12160 - ok

15:37:28.0828 0236 ql1240 - ok

15:37:28.0875 0236 ql1280 - ok

15:37:29.0015 0236 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

15:37:29.0046 0236 RasAcd - ok

15:37:29.0218 0236 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

15:37:29.0234 0236 Rasl2tp - ok

15:37:29.0671 0236 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

15:37:29.0671 0236 RasPppoe - ok

15:37:29.0812 0236 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

15:37:29.0812 0236 Raspti - ok

15:37:29.0906 0236 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

15:37:29.0921 0236 Rdbss - ok

15:37:30.0062 0236 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

15:37:30.0062 0236 RDPCDD - ok

15:37:30.0187 0236 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

15:37:30.0187 0236 RDPWD - ok

15:37:30.0312 0236 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

15:37:30.0312 0236 redbook - ok

15:37:30.0781 0236 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

15:37:30.0781 0236 Secdrv - ok

15:37:31.0046 0236 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

15:37:31.0078 0236 Serial - ok

15:37:31.0156 0236 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

15:37:31.0156 0236 Sfloppy - ok

15:37:31.0328 0236 Simbad - ok

15:37:31.0390 0236 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

15:37:31.0390 0236 SLIP - ok

15:37:31.0515 0236 Sparrow - ok

15:37:31.0562 0236 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

15:37:31.0593 0236 splitter - ok

15:37:31.0718 0236 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

15:37:31.0718 0236 sr - ok

15:37:31.0843 0236 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

15:37:31.0859 0236 Srv - ok

15:37:31.0906 0236 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

15:37:31.0906 0236 streamip - ok

15:37:32.0000 0236 SUEPD (c0137b5947ae3d3fc1c17ba6fdfb3dad) C:\WINDOWS\system32\DRIVERS\SUE_PD.sys

15:37:32.0000 0236 SUEPD - ok

15:37:32.0156 0236 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

15:37:32.0203 0236 swenum - ok

15:37:32.0312 0236 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

15:37:32.0312 0236 swmidi - ok

15:37:32.0375 0236 symc810 - ok

15:37:32.0468 0236 symc8xx - ok

15:37:32.0609 0236 sym_hi - ok

15:37:32.0625 0236 sym_u3 - ok

15:37:32.0703 0236 SynTP (ea447f6db6115e8a32352f9faffa824d) C:\WINDOWS\system32\DRIVERS\SynTP.sys

15:37:32.0718 0236 SynTP - ok

15:37:32.0968 0236 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

15:37:32.0984 0236 sysaudio - ok

15:37:33.0156 0236 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

15:37:33.0156 0236 Tcpip - ok

15:37:33.0281 0236 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

15:37:33.0281 0236 TDPIPE - ok

15:37:33.0453 0236 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

15:37:33.0453 0236 TDTCP - ok

15:37:33.0515 0236 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

15:37:33.0531 0236 TermDD - ok

15:37:33.0609 0236 TosIde - ok

15:37:33.0687 0236 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

15:37:33.0687 0236 Udfs - ok

15:37:33.0718 0236 ultra - ok

15:37:33.0765 0236 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

15:37:33.0781 0236 Update - ok

15:37:33.0937 0236 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys

15:37:33.0937 0236 USBAAPL - ok

15:37:34.0062 0236 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

15:37:34.0078 0236 usbccgp - ok

15:37:34.0281 0236 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

15:37:34.0281 0236 usbehci - ok

15:37:34.0375 0236 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

15:37:34.0390 0236 usbhub - ok

15:37:34.0484 0236 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

15:37:34.0484 0236 USBSTOR - ok

15:37:34.0656 0236 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

15:37:34.0671 0236 usbuhci - ok

15:37:34.0812 0236 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

15:37:34.0828 0236 usbvideo - ok

15:37:34.0968 0236 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

15:37:34.0968 0236 VgaSave - ok

15:37:35.0234 0236 ViaIde - ok

15:37:35.0343 0236 VMC326 (4f101e48d060e318752fbc458a4b49f0) C:\WINDOWS\system32\Drivers\VMC326.sys

15:37:35.0343 0236 VMC326 - ok

15:37:35.0375 0236 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

15:37:35.0375 0236 VolSnap - ok

15:37:35.0531 0236 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

15:37:35.0531 0236 Wanarp - ok

15:37:35.0546 0236 WDICA - ok

15:37:35.0640 0236 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

15:37:35.0640 0236 wdmaud - ok

15:37:35.0812 0236 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

15:37:35.0812 0236 WSTCODEC - ok

15:37:35.0859 0236 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

15:37:35.0859 0236 WudfPf - ok

15:37:35.0906 0236 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

15:37:35.0921 0236 WudfRd - ok

15:37:36.0046 0236 yukonwxp (1661bf323aa86d1b6dd1fb6f2402d119) C:\WINDOWS\system32\DRIVERS\yk51x86.sys

15:37:36.0062 0236 yukonwxp - ok

15:37:36.0171 0236 MBR (0x1B8) (a0a345f7ab6f3bac008fb0de602e66cd) \Device\Harddisk0\DR0

15:37:36.0703 0236 \Device\Harddisk0\DR0 - ok

15:37:36.0718 0236 Boot (0x1200) (521671c426f6e0683c6b1d7a6a5dd9bf) \Device\Harddisk0\DR0\Partition0

15:37:36.0718 0236 \Device\Harddisk0\DR0\Partition0 - ok

15:37:36.0750 0236 ============================================================

15:37:36.0750 0236 Scan finished

15:37:36.0750 0236 ============================================================

15:37:36.0781 1784 Detected object count: 1

15:37:36.0781 1784 Actual detected object count: 1

15:38:42.0062 1784 Backup copy found, using it..

15:38:42.0093 1784 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot

15:38:48.0468 1784 IPSec ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure

15:39:01.0390 0668 Deinitialize success


ComboFix.txt:

ComboFix 11-12-25.01 - Tish 12/25/2011 16:16:54.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1632 [GMT -8:00]

Running from: c:\documents and settings\Tish\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\windows\$NtUninstallKB27408$

c:\windows\$NtUninstallKB27408$\1979540378

c:\windows\$NtUninstallKB27408$\2832909258\@

c:\windows\$NtUninstallKB27408$\2832909258\bckfg.tmp

c:\windows\$NtUninstallKB27408$\2832909258\cfg.ini

c:\windows\$NtUninstallKB27408$\2832909258\Desktop.ini

c:\windows\$NtUninstallKB27408$\2832909258\keywords

c:\windows\$NtUninstallKB27408$\2832909258\kwrd.dll

c:\windows\$NtUninstallKB27408$\2832909258\L\zdmptpip

c:\windows\$NtUninstallKB27408$\2832909258\lsflt7.ver

c:\windows\$NtUninstallKB27408$\2832909258\U\00000001.@

c:\windows\$NtUninstallKB27408$\2832909258\U\00000002.@

c:\windows\$NtUninstallKB27408$\2832909258\U\00000004.@

c:\windows\$NtUninstallKB27408$\2832909258\U\80000000.@

c:\windows\$NtUninstallKB27408$\2832909258\U\80000004.@

c:\windows\$NtUninstallKB27408$\2832909258\U\80000032.@

c:\windows\system32\Packet.dll

c:\windows\system32\SET63.tmp

c:\windows\system32\SET6F.tmp

c:\windows\system32\wpcap.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NPF

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2011-11-26 to 2011-12-26 )))))))))))))))))))))))))))))))

.

.

2011-12-24 05:13 . 2011-12-24 05:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-24 05:13 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-22 18:29 . 2011-12-22 18:32 -------- d-----w- c:\documents and settings\Administrator

2011-12-22 08:39 . 2011-12-22 08:39 50704 ----a-w- c:\windows\system32\drivers\npf.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-25 23:39 . 2009-04-02 00:34 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-12-10 04:22 . 2011-06-22 17:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-09 21:34 . 2010-06-17 23:51 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-11-09 21:34 . 2010-06-17 23:51 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 22:32 . 2011-01-10 22:15 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-10-15 21:16 . 2011-01-10 22:15 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-10-15 21:16 . 2011-01-10 22:15 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-10-15 21:16 . 2011-01-10 22:15 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-10-15 21:16 . 2011-01-10 22:15 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-10-15 21:16 . 2011-01-10 22:15 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 21:16 . 2011-01-10 22:15 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-10-15 21:16 . 2011-01-10 22:15 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-10-15 21:16 . 2011-01-10 22:15 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-10-15 21:16 . 2011-01-10 22:15 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-10-15 21:16 . 2011-01-10 22:15 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-10-10 14:22 . 2009-04-02 01:53 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2009-04-02 00:34 599040 ----a-w- c:\windows\system32\crypt32.dll

2009-12-30 23:09 . 2010-01-17 18:19 2959376 ----a-w- c:\program files\dotnetfx35setup.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{b2ed7faf-72a0-46d1-9d9d-602226f5cb9f}"= "c:\program files\Vgrabber\prxtbVgra.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{b2ed7faf-72a0-46d1-9d9d-602226f5cb9f}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3B061B6-A39A-439A-8098-B3710F6388F6}]

2009-10-13 21:26 1432576 ----a-w- c:\program files\Oregon State Beavers Toolbar\Toolbar.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2ed7faf-72a0-46d1-9d9d-602226f5cb9f}]

2011-05-09 09:49 176936 ----a-w- c:\program files\Vgrabber\prxtbVgra.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{8BC7446D-BEDE-476F-B34C-CE1664FDB330}"= "c:\program files\Oregon State Beavers Toolbar\Toolbar.dll" [2009-10-13 1432576]

"{b2ed7faf-72a0-46d1-9d9d-602226f5cb9f}"= "c:\program files\Vgrabber\prxtbVgra.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{8bc7446d-bede-476f-b34c-ce1664fdb330}]

[HKEY_CLASSES_ROOT\FCTB000061651.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{68BFF8B4-A8C7-4AC9-9F01-4B193E78E115}]

[HKEY_CLASSES_ROOT\FCTB000061651.IEToolbar]

.

[HKEY_CLASSES_ROOT\clsid\{b2ed7faf-72a0-46d1-9d9d-602226f5cb9f}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{8BC7446D-BEDE-476F-B34C-CE1664FDB330}"= "c:\program files\Oregon State Beavers Toolbar\Toolbar.dll" [2009-10-13 1432576]

"{B2ED7FAF-72A0-46D1-9D9D-602226F5CB9F}"= "c:\program files\Vgrabber\prxtbVgra.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{8bc7446d-bede-476f-b34c-ce1664fdb330}]

[HKEY_CLASSES_ROOT\FCTB000061651.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{68BFF8B4-A8C7-4AC9-9F01-4B193E78E115}]

[HKEY_CLASSES_ROOT\FCTB000061651.IEToolbar]

.

[HKEY_CLASSES_ROOT\clsid\{b2ed7faf-72a0-46d1-9d9d-602226f5cb9f}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-19 2221352]

"Intel AppUp(SM) center Beta"="c:\program files\Intel\IntelAppStoreBeta\bin\serviceManager.lnk" [2010-01-17 961]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-09 273528]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-23 1318816]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

PHOTOfunSTUDIO.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2010-5-19 44176]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-06-19 23:20 57344 ----a-w- c:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

2011-11-16 04:27 5960560 ----a-w- c:\program files\BitTorrent\BitTorrent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-11-13 08:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 13:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 22:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-08-26 20:51 16851456 ----a-w- c:\windows\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-01-06 03:13 1217808 ----a-w- c:\program files\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Diablo II\\Diablo II.exe"=

"c:\\Program Files\\Oregon State Beavers Toolbar\\TroubleShooter.exe"=

"c:\\Program Files\\Oregon State Beavers Toolbar\\ToolbarUpdate.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

"c:\\Documents and Settings\\Tish\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6112:TCP"= 6112:TCP:D2 6112

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/10/2011 2:15 PM 89792]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [4/1/2009 5:59 PM 4300]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/21/2010 9:03 PM 94880]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/10/2011 2:15 PM 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/10/2011 2:15 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/10/2011 2:15 PM 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/10/2011 2:15 PM 150856]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/10/2011 2:15 PM 57600]

R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 7:01 PM 30208]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/10/2011 2:15 PM 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/10/2011 2:15 PM 83856]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [4/1/2009 6:03 PM 238464]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/7/2010 6:03 PM 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/7/2010 6:03 PM 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/10/2011 2:15 PM 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/10/2011 2:15 PM 87656]

S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [8/1/2006 3:57 PM 19840]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]

.

2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 02:02]

.

2011-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-08 02:02]

.

2011-12-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2970851898-3790793694-1500293104-1005Core.job

- c:\documents and settings\Tish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-14 02:45]

.

2011-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2970851898-3790793694-1500293104-1005UA.job

- c:\documents and settings\Tish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-14 02:45]

.

2011-12-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2970851898-3790793694-1500293104-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]

.

2011-12-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2970851898-3790793694-1500293104-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 21:40]

.

2011-12-25 c:\windows\Tasks\User_Feed_Synchronization-{8638EC0D-39CC-40BA-A58F-02C806F37EBC}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = https://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.11.1

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

SafeBoot-39029372.sys

MSConfigStartUp-Crimeqepij - c:\windows\heabsg.dll

MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-25 16:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1200)

c:\windows\system32\COMRes.dll

.

- - - - - - - > 'explorer.exe'(3088)

c:\windows\system32\WININET.dll

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\system32\IoctlSvc.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe

c:\program files\Intel\IntelAppStoreBeta\bin\serviceManager.exe

c:\program files\SAMSUNG\MagicKBD\PerformanceManager.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-12-25 16:44:35 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-26 00:44

.

Pre-Run: 121,841,795,072 bytes free

Post-Run: 123,311,722,496 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 69F09242C3A038A13038AC8637AF4EA4

MBRCheck.txt:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x00000004

Kernel Drivers (total 119):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x80700000 \WINDOWS\system32\hal.dll

0xF7987000 \WINDOWS\system32\KDCOM.DLL

0xF7897000 \WINDOWS\system32\BOOTVID.dll

0xF75A8000 ACPI.sys

0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF7597000 pci.sys

0xF75F7000 isapnp.sys

0xF789B000 compbatt.sys

0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7A4F000 pciide.sys

0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7607000 MountMgr.sys

0xF74D8000 ftdisk.sys

0xF78A3000 ACPIEC.sys

0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

0xF770F000 PartMgr.sys

0xF7617000 VolSnap.sys

0xF74C0000 atapi.sys

0xF7627000 disk.sys

0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF74A0000 fltMgr.sys

0xF748E000 sr.sys

0xF741F000 mfehidk.sys

0xF7408000 KSecDD.sys

0xF7B52000 Ntfs.sys

0xF786A000 NDIS.sys

0xF7647000 Combo-Fix.sys

0xF7850000 Mup.sys

0xBA6FD000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xB974A000 \SystemRoot\system32\DRIVERS\igxpmp32.sys

0xB9736000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xB970E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB95C8000 \SystemRoot\system32\DRIVERS\athw.sys

0xB9580000 \SystemRoot\system32\DRIVERS\yk51x86.sys

0xF775F000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB955C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7767000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xBA7D8000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xBA6ED000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF776F000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xB9525000 \SystemRoot\system32\DRIVERS\SynTP.sys

0xF79A7000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7777000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xB9454000 \SystemRoot\system32\DRIVERS\btkrnl.sys

0xBA796000 \SystemRoot\system32\DRIVERS\audstub.sys

0xB9441000 \SystemRoot\system32\DRIVERS\mfendisk.sys

0xBA6DD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA7D0000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB942A000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA6CD000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF7667000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF777F000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB9419000 \SystemRoot\system32\DRIVERS\psched.sys

0xF7677000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xB93EE000 \SystemRoot\system32\drivers\mfeavfk.sys

0xB939D000 \SystemRoot\system32\drivers\mfefirek.sys

0xF7787000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF778F000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF7687000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF79A9000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB937A000 \SystemRoot\system32\DRIVERS\ks.sys

0xB931C000 \SystemRoot\system32\DRIVERS\update.sys

0xBA77D000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF7697000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF76D7000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xA8C9B000 \SystemRoot\system32\drivers\RtkHDAud.sys

0xA8C77000 \SystemRoot\system32\drivers\portcls.sys

0xF76E7000 \SystemRoot\system32\drivers\drmk.sys

0xA8C65000 \SystemRoot\system32\drivers\SamsungEDS.sys

0xF79B7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7AA0000 \SystemRoot\System32\Drivers\Null.SYS

0xF79B9000 \SystemRoot\System32\Drivers\Beep.SYS

0xF77B7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xF77BF000 \SystemRoot\System32\drivers\vga.sys

0xF79BB000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF79BD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF77C7000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF77CF000 \SystemRoot\System32\Drivers\Npfs.SYS

0xBA7EC000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA89AD000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA8954000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA893F000 \SystemRoot\system32\drivers\mfetdi2k.sys

0xA8919000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xA88F1000 \SystemRoot\system32\DRIVERS\netbt.sys

0xF7577000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xA88B6000 \SystemRoot\System32\Drivers\VMC326.sys

0xA8894000 \SystemRoot\System32\drivers\afd.sys

0xF7567000 \SystemRoot\system32\DRIVERS\netbios.sys

0xA8869000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA87F9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF7537000 \SystemRoot\System32\Drivers\Fips.SYS

0xBA74D000 \SystemRoot\System32\Drivers\btwusb.sys

0xA87B9000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF79F3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xA8A40000 \SystemRoot\System32\drivers\Dxapi.sys

0xF77FF000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7A87000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF024000 \SystemRoot\System32\igxpgd32.dll

0xBF012000 \SystemRoot\System32\igxprd32.dll

0xBF04F000 \SystemRoot\System32\igxpdv32.DLL

0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL

0xBF47A000 \SystemRoot\System32\ATMFD.DLL

0xBA79B000 \??\C:\WINDOWS\system32\MEMIO.SYS

0xA86BD000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA841C000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xA8227000 \SystemRoot\system32\drivers\wdmaud.sys

0xA82EC000 \SystemRoot\system32\drivers\sysaudio.sys

0xA812F000 \SystemRoot\system32\DRIVERS\srv.sys

0xA7A2F000 \SystemRoot\system32\drivers\cfwids.sys

0xA7849000 \SystemRoot\System32\Drivers\HTTP.sys

0xA7640000 \SystemRoot\system32\drivers\mfeapfk.sys

0xA75AA000 \SystemRoot\system32\drivers\mfebopk.sys

0xF7757000 \??\C:\ComboFix\catchme.sys

0xF798F000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

0xA706F000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):

0 System Idle Process

4 System

1088 C:\WINDOWS\system32\smss.exe

1176 csrss.exe

1200 C:\WINDOWS\system32\winlogon.exe

1244 C:\WINDOWS\system32\services.exe

1256 C:\WINDOWS\system32\lsass.exe

1420 C:\WINDOWS\system32\svchost.exe

1516 svchost.exe

1556 C:\WINDOWS\system32\svchost.exe

1580 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

1660 svchost.exe

1740 svchost.exe

144 C:\WINDOWS\system32\spoolsv.exe

316 svchost.exe

520 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

572 C:\Program Files\Bonjour\mDNSResponder.exe

712 C:\Program Files\Java\jre6\bin\jqs.exe

760 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

900 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

1104 C:\WINDOWS\system32\mfevtps.exe

1156 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

1636 C:\WINDOWS\system32\IoctlSvc.exe

1736 C:\WINDOWS\system32\svchost.exe

1900 C:\WINDOWS\system32\rundll32.exe

1984 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

2040 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

2572 C:\WINDOWS\system32\rundll32.exe

2872 alg.exe

2652 C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

2664 C:\WINDOWS\system32\igfxtray.exe

2688 C:\WINDOWS\system32\hkcmd.exe

2704 C:\WINDOWS\system32\igfxpers.exe

2772 C:\WINDOWS\system32\igfxsrvc.exe

2780 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

3336 C:\Program Files\Samsung\MagicKBD\MagicKBD.exe

3428 C:\Program Files\Intel\IntelAppStoreBeta\bin\serviceManager.exe

3436 C:\Program Files\Samsung\MagicKBD\PerformanceManager.exe

3464 C:\Program Files\Real\RealPlayer\Update\realsched.exe

3496 C:\Program Files\McAfee.com\Agent\mcagent.exe

1476 C:\Program Files\iTunes\iTunesHelper.exe

2676 C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe

1956 C:\WINDOWS\system32\wuauclt.exe

3164 C:\WINDOWS\system32\svchost.exe

2052 C:\Program Files\iPod\bin\iPodService.exe

3088 C:\WINDOWS\explorer.exe

3248 C:\WINDOWS\system32\ctfmon.exe

3256 C:\Documents and Settings\Tish\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`805e2000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM160HI, Rev: HH100-06

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 1F2FD3C21FE928E83C3385B4ED6174F3295CA60A

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): -1

Done!

Merry Christmas D-FRED-BROWN, and thank you so much for the help.

No problem, and Merry Christmas to you as well! :)

One note about McAfee - I have McAfee Antivirus Plus (offered free from my employer), and there is no option to completely Exit it from the taskbar. The best I can do is open it, and disable active scanning, which I did before running Combofix, so hopefully that was enough to prevent bad interactions (as I said, Combofix seemed to run normally and remove several files, as shown in the log file).

No worries. It doesn't appear to have conflicted with ComboFix, so it should be fine if you leave it on there ;).

As you observed, ComboFix and TDSSKiller cleared out the main infection.

Your MBRCheck log shows a suspicious entry that I'd like to take a deeper look at.

----------

Please do the following:

  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double click aswMBR.exe to start the tool. (Vista - Win 7 Rt click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.

----------

Next, please dump the MBR using MBRCheck:

Run MBRCheck.exe once again.

You will be presented with the following dialog:

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Enter Y and press Enter.

The following dialog will be presented:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice:

Enter 1 and press Enter

The following dialog will be presented:

Enter the physical disk number to fix (0-99, -1 to cancel):

Enter 0 (zero) and press Enter

The following dialog will be presented:

Enter filename to dump to:

Type mbr-dump.dat and press Enter

The following dialog will be presented:

Dumped successfully!

Enter the physical disk to dump (0-99, -1 to exit):

Enter -1 and press Enter

And last the following dialog will be presented:

Done! Press ENTER to exit...

Press Enter.

A file mbr-dump.dat will be produced on the desktop. Now you have to compress this file:

  • Right click on it
  • Navigate and select Send to
  • Then navigate and select Compressed (zipped) Folder
  • A file mbr-dump.zip will be produced on the desktop

Please attach this file (mbr-dump.zip) in your next reply.

----------

In your next reply, please include:

  • aswMBR report & MBR.dat zip file
  • mbr-dump.dat zip file
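As an added example (not part of the original thread or of MBRCheck/aswMBR), here is a small Python parser for the 512-byte mbr-dump.dat the steps above produce: it prints the partition table in the same shape the aswMBR log uses, hashes the boot-code area, and runs a few layout sanity checks a tampered table tends to fail. The sample MBR, the disk signature value and the empty known-good hash table are constructed; the thread does not say which byte range MBRCheck hashes for its SHA1, so the hash here covers the first 440 bytes and is not expected to match MBRCheck's value.

```python
"""Parse a raw 512-byte MBR dump (e.g. the mbr-dump.dat that MBRCheck writes) and report what
the thread's tools report: partition table, active flag, 0x55AA signature, boot-code hash."""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 440-443 hold the NT disk signature, 444-445 are reserved
PT_OFFSET = 446          # four 16-byte partition entries follow, then 0x55AA at offset 510
ENTRY_FMT = "<B3xB3xII"  # status, [CHS start], type, [CHS end], LBA start, sector count

# Standard MBR partition type IDs: the two in the thread's aswMBR log plus common ones.
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x12: "Compaq diag", 0x82: "Linux swap",
              0x83: "Linux", 0xEE: "GPT protective"}

@dataclass
class PartitionEntry:
    index: int
    active: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, "unknown")

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)  # integer MB, as aswMBR prints it

def parse_mbr(mbr: bytes) -> dict:
    """Decode one sector into signature flag, disk id, boot-code SHA1 and partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)} bytes")
    parts = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + i * 16)
        if type_id == 0 and count == 0:
            continue  # unused slot
        parts.append(PartitionEntry(i + 1, status == 0x80, type_id, start, count))
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
            "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def classify_boot_code(sha1: str, known: Dict[str, str]) -> str:
    """Look the boot-code hash up in a caller-supplied table of known-good hashes (for example
    from a clean machine with the same Windows version); unknown code is a reason to look closer."""
    return known.get(sha1.lower(), "Unknown MBR code")

def sanity_findings(parsed: dict, disk_sectors: Optional[int] = None) -> List[str]:
    """Layout checks that a tampered or corrupted partition table commonly fails."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    parts = parsed["partitions"]
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if disk_sectors is not None and p.start_lba + p.sectors > disk_sectors:
            findings.append(f"partition {p.index} extends past the end of the disk")
    ordered = sorted(parts, key=lambda p: p.start_lba)
    for a, b in zip(ordered, ordered[1:]):
        if a.start_lba + a.sectors > b.start_lba:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings

SAMPLE_DISK_SECTORS = 312579760  # disk size from the thread's aswMBR log

def build_sample_mbr() -> bytes:
    """Constructed sample: the layout the thread's aswMBR log reports (type 0x12 diag partition
    at LBA 63, active NTFS partition at LBA 12594960); boot code is all zero, disk id made up."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)
    layout = [(0x00, 0x12, 63, 12594960 - 63),
              (0x80, 0x07, 12594960, SAMPLE_DISK_SECTORS - 12594960)]
    for i, entry in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + i * 16, *entry)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    from_file = len(sys.argv) > 1
    data = open(sys.argv[1], "rb").read(SECTOR) if from_file else build_sample_mbr()
    parsed = parse_mbr(data)
    print(f"signature {'ok' if parsed['signature_ok'] else 'MISSING'}, disk id 0x{parsed['disk_signature']:08X}")
    print(f"boot code SHA1 {parsed['boot_code_sha1']}: {classify_boot_code(parsed['boot_code_sha1'], {})}")
    for p in parsed["partitions"]:
        print(f"Partition {p.index} {'80 (A)' if p.active else '00'} {p.type_id:02X} "
              f"{p.type_name} {p.size_mb} MB offset {p.start_lba}")
    for finding in sanity_findings(parsed, None if from_file else SAMPLE_DISK_SECTORS):
        print("finding:", finding)
```

Run it with the path to mbr-dump.dat as the only argument; with no argument it reports on the constructed sample, whose two partition lines come out matching the aswMBR log above.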

Here's the aswMBR.txt file, and the two zip files are attached. You didn't mention the dialog box asking if I wanted to download the Avast! virus definitions for aswMBR, but it was recommended so I did so.

aswMBR.txt:

aswMBR version 0.9.9.1120 Copyright© 2011 AVAST Software

Run date: 2011-12-25 18:41:07

-----------------------------

18:41:07.187 OS Version: Windows 5.1.2600 Service Pack 3

18:41:07.187 Number of processors: 2 586 0x1C02

18:41:07.187 ComputerName: MINI_ME UserName: Tish

18:41:08.640 Initialize success

18:50:04.593 AVAST engine defs: 11122501

18:50:12.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

18:50:12.843 Disk 0 Vendor: SAMSUNG_HM160HI HH100-06 Size: 152627MB BusType: 3

18:50:14.875 Disk 0 MBR read successfully

18:50:14.875 Disk 0 MBR scan

18:50:14.906 Disk 0 unknown MBR code

18:50:14.921 Disk 0 Partition 1 00 12 Compaq diag NTFS 6149 MB offset 63

18:50:14.953 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 146476 MB offset 12594960

18:50:14.968 Disk 0 scanning sectors +312579760

18:50:15.062 Disk 0 scanning C:\WINDOWS\system32\drivers

18:50:26.078 Service scanning

18:50:27.406 Modules scanning

18:50:35.187 Disk 0 trace - called modules:

18:50:35.218 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

18:50:35.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a592ab8]

18:50:35.218 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a5674b0]

18:50:35.234 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a548940]

18:50:35.890 AVAST engine scan C:\WINDOWS

18:50:55.734 AVAST engine scan C:\WINDOWS\system32

18:53:49.218 AVAST engine scan C:\WINDOWS\system32\drivers

18:54:07.765 AVAST engine scan C:\Documents and Settings\Tish

19:04:00.828 AVAST engine scan C:\Documents and Settings\All Users

19:08:45.093 Scan finished successfully

19:19:42.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tish\Desktop\MBR.dat"

19:19:42.843 The log file has been saved successfully to "C:\Documents and Settings\Tish\Desktop\aswMBR.txt"

MBR.zip

mbr-dump.zip

Let's run the following programs to give us some more info:

Please do the following:

  • Download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right click on it and Run as an Administrator)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save and type in gmer.txt and save to Desktop and copy/paste the contents in your next reply.

Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.

---------

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

NOTE! Please remove any e-mail address in the RootRepeal report (if present).

---------

Please include both the GMER and RootRepeal reports in your next reply. ;)

Here are the two log files. When I run RootRepeal, I immediately get a pop-up window with this message:

Error - Invalid PE image found!

I click OK to make the pop-up window go away, at which point I'm in the program, so I did the scan as you instructed.

Anyway, here are the two log files:

gmer.txt:

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-12-26 19:32:30

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM160HI rev.HH100-06

Running: qh0slqjy.exe; Driver: C:\DOCUME~1\Tish\LOCALS~1\Temp\pgldypod.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF745F4C0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF745F4D4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF745F500]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF745F4AC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF745F484]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF745F498]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF745F4EA]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF745F52C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF745F516]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\program files\real\realplayer\update\realsched.exe[2928] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

rootrepeal.txt:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2011/12/26 19:36

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA8836000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79D9000 Size: 8192 File Visible: No Signed: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF7850000 Size: 105472 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF7B52000 Size: 574976 File Visible: - Signed: -

Status: Hidden from the Windows API!

Name: pgldypod.sys

Image Path: C:\DOCUME~1\Tish\LOCALS~1\Temp\pgldypod.sys

Address: 0xA7259000 Size: 100864 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA7068000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_354.dat

Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Program Files\Yahoo! Games\Coffee Buzz\CoffeeBuzz.exe:{AED9825D-6194-8B0C-8264-AEF12EF94496}

Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP290\A0117286.exe:{AED9825D-6194-8B0C-8264-AEF12EF94496}

Status: Visible to the Windows API, but not on disk.

==EOF==

Here are the two log files. When I run RootRepeal, I immediately get a pop-up window with this message:

Error - Invalid PE image found!

Don't worry about that, it's a meaningless error ;).

Let's run one more rootkit scan before we move on to the next step:

Download Rootkit Unhooker and save it to your Desktop.

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.

Vista/Windows 7 users right-click and select Run As Administrator.

  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • UNcheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait until the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
    Note: You may get the following warning; just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Here is the log file from running RkUnhooker:

RkU Version: 3.8.389.593, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB97F1000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5857280 bytes (Intel Corporation, Intel Graphics Miniport Driver)

0xA8D42000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4923392 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xBF1E7000 C:\WINDOWS\System32\igxpdx32.DLL 2699264 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)

0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2265088 bytes

0x804D7000 RAW 2265088 bytes

0x804D7000 WMIxWDM 2265088 bytes

0xBF800000 Win32k 1859584 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 1671168 bytes (Intel Corporation, Component GHAL Driver)

0xA7113000 C:\WINDOWS\system32\DRIVERS\athw.sys 1335296 bytes (Atheros Communications, Inc., Driver for Atheros AR5008 Wireless Network Adapter)

0xB94FB000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 856064 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)

0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xA88BB000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF741F000 mfehidk.sys 454656 bytes (McAfee, Inc., McAfee Link Driver)

0xB93C3000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xA89DB000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA8042000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xB9444000 C:\WINDOWS\system32\drivers\mfefirek.sys 331776 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)

0xB9627000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 294912 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)

0xBF47A000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xA7865000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xA8880000 C:\WINDOWS\System32\Drivers\VMC326.sys 241664 bytes (Vimicro Corporation, Vimicro USB Video Class Camera)

0xB95CC000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 225280 bytes (Synaptics, Inc., Synaptics Touchpad Driver)

0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xA8499000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF786A000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)

0xA6D4B000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xB9495000 C:\WINDOWS\system32\drivers\mfeavfk.sys 176128 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)

0xA892B000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB97B5000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA8978000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xA89A0000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xA8D1E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB9603000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB9421000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xA8956000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x80700000 ACPI_HAL 134400 bytes

0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF74A0000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xA6D76000 C:\WINDOWS\system32\drivers\mfeapfk.sys 114688 bytes (McAfee, Inc., Access Protection Filter Driver)

0xF7850000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xA7259000 C:\DOCUME~1\Tish\LOCALS~1\Temp\pgldypod.sys 102400 bytes

0xF74C0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xA8836000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF7408000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB94D1000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xA89C6000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 86016 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)

0xA83BC000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB97DD000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xA8A34000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xB94E8000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 77824 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)

0xA8D0C000 C:\WINDOWS\system32\drivers\SamsungEDS.sys 73728 bytes (Samsung Electronics,.LTD, EDS Filter Driver (DNSe V47))

0xF748E000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xB94C0000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF7527000 C:\WINDOWS\System32\Drivers\btwusb.sys 65536 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)

0xF76E7000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xA87DE000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF76D7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xA7BBA000 C:\WINDOWS\system32\drivers\cfwids.sys 53248 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)

0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xBA133000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xBA123000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF7657000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF7537000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xBA113000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF7697000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF7677000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xA72BD000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)

0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xBA143000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xF7667000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF7567000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xF7577000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF779F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF7737000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF7787000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF773F000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF7747000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF781F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xF778F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF7797000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF7757000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF775F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF774F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF77EF000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF789F000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)

0xBA7CC000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)

0xBA7B0000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xA8722000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)

0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)

0xB939A000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xBA7C4000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xBA7E0000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF79C5000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF79D9000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF79C3000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF79E5000 C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS 8192 bytes

0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF79C7000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF79C9000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF79B1000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF79AD000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7A88000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xA887B000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7A9E000 C:\WINDOWS\system32\MEMIO.SYS 4096 bytes

0xF7A84000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)

0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

==============================================

>Files

==============================================

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\rnupgagent.exe

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\stub_data\chrome.cab

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\stub_data\gtb.cab

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\stub_data\nss.cab

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\stub_data\RealPlayer.exe

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\stub_data\stubinst_config_en.xml

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\stub_data\stubinst_pkg_en-us.cab

!-->[Hidden] C:\Documents and Settings\Tish\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.00\stub_exe\RealPlayer.exe

!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat

!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat

!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat

!-->[Hidden] C:\Qoobox\BackEnv\VikPev00

==============================================

>Hooks

==============================================

ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]

ntoskrnl.exe-->NtCreateKey, Type: Inline - RelativeJump 0x80578AB4-->F745F4C4 [mfehidk.sys]

ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8059A5C9-->F745F4D8 [mfehidk.sys]

ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x805991E8-->F745F504 [mfehidk.sys]

ntoskrnl.exe-->NtOpenKey, Type: Inline - RelativeJump 0x80572BDF-->F745F4B0 [mfehidk.sys]

ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057F93A-->F745F488 [mfehidk.sys]

ntoskrnl.exe-->NtOpenThread, Type: Inline - RelativeJump 0x80596743-->F745F49C [mfehidk.sys]

ntoskrnl.exe-->NtRenameKey, Type: Inline - RelativeJump 0x8065684C-->F745F4EE [mfehidk.sys]

ntoskrnl.exe-->NtSetSecurityObject, Type: Inline - RelativeJump 0x805E8694-->F745F530 [mfehidk.sys]

ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80580088-->F745F51A [mfehidk.sys]

[1804]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->624199A1 [McProxy.dll]

[1804]McSvHost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->62419A63 [McProxy.dll]

[1896]mfevtps.exe-->crypt32.dll-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x77A81044-->0040A4B0 [mfevtps.exe]

[1896]mfevtps.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->0040A510 [mfevtps.exe]

[3272]realsched.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C84495D-->EC810004 [unknown_code_page]

[480]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]

[480]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]

[480]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]

[480]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]

[480]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]

[480]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]

[480]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]

[480]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]

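The ">Hooks" section above lists every inline patch and IAT modification RKUnhooker found, and the triage question for each line is who owns the code it jumps to. The block below is an added example, not part of the original thread and not RKUnhooker's own code: it parses lines in exactly that format and sorts them into hooks owned by a module you expect on the machine, hooks a module placed in its own code or import table, and hooks whose target RKUnhooker could not map to any loaded module ([unknown_code_page]), which are the ones to examine by hand. The EXPECTED_OWNERS allowlist is an assumption built from this one log (McAfee's mfehidk.sys and McProxy.dll, and Windows' application-compatibility shim engine shimeng.dll); the sample lines are copied from the log above.

```python
"""Triage the '>Hooks' section of an RKUnhooker log.

Added example; not part of the original thread or of RKUnhooker. The
EXPECTED_OWNERS allowlist is an assumption built from this particular log:
McAfee's mfehidk.sys and McProxy.dll, and Windows' application-compatibility
shim engine shimeng.dll. Adjust it to the security software actually present.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One hook per line:
#   [pid]image-->module-->...-->Symbol, Type: <kind> 0xSRC-->DST [owner]
# Kernel-mode hooks have no [pid] prefix and start at ntoskrnl.exe.
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>\S+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)

# Assumed allowlist of hook owners that belong on this machine.
EXPECTED_OWNERS = {"mfehidk.sys", "McProxy.dll", "shimeng.dll"}


@dataclass
class Hook:
    pid: Optional[int]   # None for kernel-mode hooks
    image: str           # hooked process image (or ntoskrnl.exe)
    symbol: str          # hooked export, IAT entry, or raw offset
    kind: str            # 'Inline - RelativeJump', 'IAT modification', ...
    src: int             # patched address
    dst: int             # where control is redirected
    owner: str           # module RKUnhooker mapped the target to

    @property
    def kernel(self) -> bool:
        return self.pid is None


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one hook line; return None for separators and other noise."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    chain = m["chain"].split("-->")
    image = chain[0].split("+")[0]  # 'ntoskrnl.exe+0x5B22' -> 'ntoskrnl.exe'
    return Hook(
        pid=int(m["pid"]) if m["pid"] else None,
        image=image,
        symbol=chain[-1],
        kind=m["kind"],
        src=int(m["src"], 16),
        dst=int(m["dst"], 16),
        owner=m["owner"],
    )


def verdict(h: Hook) -> str:
    """Classify a hook by who owns the code it jumps to."""
    if h.owner == "unknown_code_page":
        return "review"          # target lies outside every loaded module
    if h.owner == h.image:
        return "self"            # module patched its own code or imports
    if h.owner in EXPECTED_OWNERS:
        return "expected"
    return "unknown-owner"       # a module not on the allowlist


def triage(lines) -> List[Tuple[str, Hook]]:
    """Parse every hook line and pair it with its verdict."""
    out = []
    for line in lines:
        h = parse_hook(line)
        if h is not None:
            out.append((verdict(h), h))
    return out


def summarize(lines) -> Counter:
    """Count hooks per verdict; anything but 'expected'/'self' deserves a look."""
    return Counter(v for v, _ in triage(lines))


# Sample lines copied from the log above (one of each shape that appears).
SAMPLE_LOG = [
    "ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]",
    "ntoskrnl.exe-->NtCreateKey, Type: Inline - RelativeJump 0x80578AB4-->F745F4C4 [mfehidk.sys]",
    "ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057F93A-->F745F488 [mfehidk.sys]",
    "[1804]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->624199A1 [McProxy.dll]",
    "[1896]mfevtps.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->0040A510 [mfevtps.exe]",
    "[3272]realsched.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C84495D-->EC810004 [unknown_code_page]",
    "[480]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]",
    "==============================================",
]

if __name__ == "__main__":
    for v, h in triage(SAMPLE_LOG):
        where = "kernel" if h.kernel else f"pid {h.pid}"
        print(f"{v:13} {where:9} {h.image}:{h.symbol} -> {h.owner} ({h.kind})")
    print(dict(summarize(SAMPLE_LOG)))
```

A "review" verdict is a prompt, not a conviction: [unknown_code_page] only means the jump target is not inside any module RKUnhooker could name, and packed or self-patching software produces the same reading. Check the process image on disk, its signature and where the target address actually lives before treating it as a rootkit hook. The kernel-side entries here all resolve to the McAfee filter driver, which is the normal footprint of a host-based antivirus on XP.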

Looking good! ;)

Now, let's see what programs of yours need updating; out-of-date applications leave you extremely vulnerable to getting infected again:

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Awesome. One quick question before I do so, since we're at the point of potentially updating things. In the last few days, after starting this process, I've gotten a Windows Update notice that it wants to provide several updates to XP. Among these are 'Cumulative Security Update for ActiveX Killbits for Windows XP', 'Cumulative Security Update for Internet Explorer 8 for Windows XP', 'Windows Malicious Software Removal tool - December 2011', one 'Update for Windows XP' and five 'Security Update for Windows XP' of various KB* identifiers.

I've held off on applying these since I figure we want a stable machine image for debugging.

Should I go ahead and apply these now before checking for needed program updates, or wait until you give the all-clear?

Thanks,

Jim


Ok, Windows is updated, and I ran Security Check, and this is what it had to say:

Results of screen317's Security Check version 0.99.30

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee AntiVirus Plus

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 24

Java version out of date!

Adobe Reader 8 Adobe Reader out of date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````


As we wrap all this up I will provide you with some information to help you better secure your computer, but first, let's update your programs:

---------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

Go to Start > Control Panel and open Add or Remove Programs.

Search in the list for all previous installed versions of Java. (J2SE Runtime Environment).

They will have this icon next to them: javaicon.gif

Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

---------

You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here (uninstall version 7.0 first):

Adobe Reader X

Note: I suggest you uncheck an optional, third-party download (eg. McAfee Security Scan Plus).

After successfully installing Adobe Reader X, see this article on how to make this program more secure: Adobe Reader X secures itself by playing in the sandbox.

---------

Before we move on to the next step, please let me know how the updates went, as failed updates may indicate additional malware.

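The Security Check output earlier reports "Java 6 Update 24" as out of date, and the instructions above have you pick every older Java out of Add or Remove Programs by eye. As an added example (not from the thread, and not screen317's tool or anything from Oracle), here is the same check done from the product display names: parse the version out of each JRE entry, keep the newest, and list the rest for removal. The display-name patterns it understands ("J2SE Runtime Environment 5.0 Update 6", "Java(TM) 6 Update 24", "Java 7 Update 2") are the ones Sun and Oracle used for the JRE; JDK and "Java DB" entries are deliberately not matched. The inventory and the CURRENT_JRE value are constructed for the example, and installed_display_names() reads the real Add or Remove Programs list from the registry only when run on Windows.

```python
"""Find stale Java Runtime installs from Add or Remove Programs display names.

Added example; not from the thread or from screen317's Security Check. The
display-name patterns ('J2SE Runtime Environment 5.0 Update 6',
'Java(TM) 6 Update 24', 'Java 7 Update 2') are the ones Sun/Oracle used for the
JRE; JDK and 'Java DB' entries are deliberately not matched. The inventory and
the CURRENT_JRE value below are constructed for the example.
"""
import re
from typing import List, Optional, Tuple

JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?|Java)"
    r"\s+(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\s+Update\s+(?P<update>\d+))?",
    re.IGNORECASE,
)

Version = Tuple[int, int]  # (family, update): Java 6 Update 24 -> (6, 24)

# Assumed: the newest JRE available when the check is run (look it up at the time).
CURRENT_JRE: Version = (7, 2)


def java_version(display_name: str) -> Optional[Version]:
    """Parse a JRE display name into (family, update); None if it is not a JRE."""
    m = JAVA_RE.match(display_name.strip())
    if not m:
        return None
    major = int(m["major"])
    minor = int(m["minor"] or 0)
    family = minor if major == 1 else major  # '1.6.0' and '6' are the same family
    return (family, int(m["update"] or 0))


def stale_java_installs(display_names: List[str], current: Version = CURRENT_JRE):
    """Return (keep, remove, outdated).

    keep     - display name of the newest installed JRE (None if there is none)
    remove   - every other JRE entry, newest first; uninstall these
    outdated - True when even the newest one is older than `current`
    """
    found = []
    for name in display_names:
        v = java_version(name)
        if v is not None:
            found.append((v, name))
    if not found:
        return None, [], False
    found.sort(reverse=True)  # highest (family, update) first
    keep = found[0][1]
    remove = [name for _, name in found[1:]]
    return keep, remove, found[0][0] < current


def installed_display_names() -> List[str]:
    """Read DisplayName from the Add or Remove Programs keys (Windows only)."""
    import winreg  # stdlib on Windows; ImportError anywhere else
    names = []
    for path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # no Wow6432Node on 32-bit XP
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
                except OSError:
                    pass  # subkey without a DisplayName value
    return names


# Constructed inventory resembling the laptop in this thread.
SAMPLE_INVENTORY = [
    "Adobe Reader 8.1.2",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 24",
    "Java(TM) 6 Update 7",
    "Java DB",
    "Malwarebytes' Anti-Malware",
    "McAfee AntiVirus Plus",
]

if __name__ == "__main__":
    try:
        inventory = installed_display_names()
    except ImportError:
        inventory = SAMPLE_INVENTORY
    keep, remove, outdated = stale_java_installs(inventory)
    print("keep:    ", keep)
    print("remove:  ", remove)
    print("outdated:", outdated)
```

The point of keeping the version as a (family, update) tuple is that "J2SE Runtime Environment 5.0" and "Java(TM) 6" sort correctly against each other, which string comparison of the display names does not give you. The same shape of check applies to any product that installs side by side instead of upgrading in place.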

Glad to hear things went well :).

Since the updates were successful and you are now clean, I will now provide you with some suggestions for security software, but first, please make sure ComboFix is uninstalled:

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please consider maintaining a firewall with HIPS (Host Intrusion Prevention System). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior, and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available.

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older kind of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


  • 5 weeks later...

Sorry I left you hanging last month, having a working computer can do that!

No, there have been no further issues. I just did my post-Christmas finances and left a small donation, and just took advantage of the MWB sale to buy the pro version. Thanks again for all the wonderful help.

Jim


Sorry I left you hanging last month, having a working computer can do that!

No problem! I'm glad to hear your issues are resolved :)

No, there have been no further issues. I just did my post-Christmas finances and left a small donation, and just took advantage of the MWB sale to buy the pro version. Thanks again for all the wonderful help.

Many thanks for your generosity. It was a pleasure to work with you :).


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
